@resistdesign/voltra 3.0.0-alpha.39 → 3.0.0-alpha.40

package/README.md CHANGED
@@ -64,6 +64,53 @@ import { addDNS } from "@resistdesign/voltra/iac/packs";
64
64
  import { getTypeInfoMapFromTypeScript } from "@resistdesign/voltra/build";
65
65
  ```
66
66
 
67
+ ### IaC Auth/Gateway Example
68
+
69
+ `addGateway` authorizer provider ARNs can use CloudFormation intrinsics:
70
+
71
+ ```ts
72
+ import { addGateway } from "@resistdesign/voltra/iac/packs";
73
+ import { SimpleCFT } from "@resistdesign/voltra/iac";
74
+
75
+ new SimpleCFT().applyPack(addGateway, {
76
+ id: "ApiGateway",
77
+ hostedZoneId: { Ref: "HostedZoneId" },
78
+ domainName: { Ref: "ApiDomainName" },
79
+ certificateArn: { Ref: "ApiCertificateArn" },
80
+ cloudFunction: { id: "ApiFunction" },
81
+ authorizer: {
82
+ providerARNs: [{ "Fn::GetAtt": ["MyUserPool", "Arn"] }],
83
+ },
84
+ });
85
+ ```
86
+
87
+ `addAuth` can pass partial user-management id overrides without changing all defaults:
88
+
89
+ ```ts
90
+ import { addAuth } from "@resistdesign/voltra/iac/packs";
91
+ import { SimpleCFT } from "@resistdesign/voltra/iac";
92
+
93
+ new SimpleCFT().applyPack(addAuth, {
94
+ userManagementId: "UserPool",
95
+ userManagementIds: {
96
+ userPool: "MyUserPool",
97
+ userPoolClient: "MyUserPoolClient",
98
+ },
99
+ authRoleName: "AuthRole",
100
+ unauthRoleName: "UnauthRole",
101
+ apiCloudFunctionGatewayId: "ApiGateway",
102
+ apiStageName: "prod",
103
+ adminGroupId: "AdminGroup",
104
+ userManagementAdminGroupName: "admins",
105
+ hostedZoneIdParameterName: "HostedZoneId",
106
+ domainNameParameterName: "DomainName",
107
+ sslCertificateId: "CertificateArn",
108
+ mainCDNCloudFrontId: "MainCDN",
109
+ callbackUrls: ["https://example.com/callback"],
110
+ logoutUrls: ["https://example.com/logout"],
111
+ });
112
+ ```
113
+
67
114
  ------------
68
115
 
69
116
  ## Build-time Type Parsing (Advanced)
@@ -1,9 +1,23 @@
1
+ /**
2
+ * Optional logical ids for resources generated by {@link addAuth}.
3
+ */
4
+ export type UserManagementIds = {
5
+ userPool?: string;
6
+ userPoolClient?: string;
7
+ identityPool?: string;
8
+ authRole?: string;
9
+ unauthRole?: string;
10
+ roleAttachment?: string;
11
+ domain?: string;
12
+ domainRecord?: string;
13
+ baseDomainRecord?: string;
14
+ };
1
15
  /**
2
16
  * Configuration for the auth pack.
3
17
  */
4
18
  export type AddAuthConfigBase = {
5
19
  /**
6
- * Cognito user pool resource id.
20
+ * Base id for Cognito resources.
7
21
  */
8
22
  userManagementId: string;
9
23
  /**
@@ -15,11 +29,11 @@ export type AddAuthConfigBase = {
15
29
  */
16
30
  unauthRoleName: string;
17
31
  /**
18
- * API Gateway REST API id for the backend.
32
+ * API Gateway REST API id for authenticated access.
19
33
  */
20
34
  apiCloudFunctionGatewayId: string;
21
35
  /**
22
- * API Gateway stage name for the backend.
36
+ * API Gateway stage name for authenticated access.
23
37
  */
24
38
  apiStageName: string;
25
39
  /**
@@ -30,11 +44,23 @@ export type AddAuthConfigBase = {
30
44
  * Cognito group name for admins.
31
45
  */
32
46
  userManagementAdminGroupName: string;
47
+ /**
48
+ * Optional explicit logical ids for generated user-management resources.
49
+ *
50
+ * @example
51
+ * ```ts
52
+ * userManagementIds: {
53
+ * userPool: "MyUserPool",
54
+ * userPoolClient: "MyUserPoolClient",
55
+ * }
56
+ * ```
57
+ */
58
+ userManagementIds?: UserManagementIds;
33
59
  };
34
60
  /**
35
61
  * Configuration for adding auth resources including a user pool domain with
36
62
  * callback and logout URLs.
37
- * */
63
+ */
38
64
  export type AddAuthConfigWithUserPoolDomain = AddAuthConfigBase & {
39
65
  /**
40
66
  * Enable Cognito Hosted UI/OAuth redirect mode by creating a custom user pool
@@ -49,65 +75,40 @@ export type AddAuthConfigWithUserPoolDomain = AddAuthConfigBase & {
49
75
  enableUserPoolDomain?: true;
50
76
  /**
51
77
  * Parameter name for the Route53 hosted zone id that owns `domainName`.
52
- *
53
- * Required when `enableUserPoolDomain` is not `false`.
54
78
  */
55
79
  hostedZoneIdParameterName: string;
56
80
  /**
57
81
  * Parameter name for the base domain used for the auth subdomain.
58
- *
59
- * The pack creates a Cognito domain at `auth.<base-domain>`.
60
- * Required when `enableUserPoolDomain` is not `false`.
61
82
  */
62
83
  domainNameParameterName: string;
63
84
  /**
64
85
  * ACM certificate resource id (in `us-east-1`) for the Cognito custom
65
86
  * domain.
66
- *
67
- * Required when `enableUserPoolDomain` is not `false`.
68
87
  */
69
88
  sslCertificateId: string;
70
89
  /**
71
90
  * CloudFront distribution resource id used as the base-domain alias target.
72
- *
73
- * This is used for the root/base domain record before creating the auth
74
- * subdomain record.
75
91
  */
76
92
  mainCDNCloudFrontId: string;
77
93
  /**
78
94
  * OAuth callback URLs for Hosted UI/federated redirect flows.
79
- *
80
- * These must be valid redirect URLs accepted by Cognito for the app client.
81
- * They are required by Cognito when OAuth flows are enabled.
82
95
  */
83
96
  callbackUrls: any[];
84
97
  /**
85
98
  * OAuth logout redirect URLs for Hosted UI sign-out.
86
- *
87
- * These should match the application routes users are redirected to after
88
- * logout.
89
99
  */
90
100
  logoutUrls: any[];
91
101
  /**
92
102
  * Supported identity providers for Hosted UI/OAuth flows.
93
- *
94
- * Defaults to `["COGNITO"]`.
95
- * Use Cognito provider names such as `"COGNITO"`, `"Google"`,
96
- * `"SignInWithApple"`, `"LoginWithAmazon"`, or names for configured OIDC/SAML
97
- * providers.
98
103
  */
99
104
  supportedIdentityProviders?: any[];
100
105
  };
101
106
  /**
102
107
  * Configuration for adding auth resources without a user pool domain.
103
- * */
108
+ */
104
109
  export type AddAuthConfigWithoutUserPoolDomain = AddAuthConfigBase & {
105
110
  /**
106
111
  * Disable Cognito Hosted UI/OAuth redirect configuration.
107
- *
108
- * In this mode, the generated user pool client disables OAuth hosted-UI flows
109
- * (`AllowedOAuthFlowsUserPoolClient: false`) so callback/logout/provider
110
- * settings are intentionally disallowed.
111
112
  */
112
113
  enableUserPoolDomain: false;
113
114
  hostedZoneIdParameterName?: never;
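Review bot: The new `UserManagementIds` fields at the top of the first hunk carry no per-field documentation, so a reader cannot tell which generated resource each id names or what happens when one is omitted. A one-line comment per field would close that gap, e.g. `/** Logical id of the AWS::Cognito::UserPool (defaults to userManagementId). */` on `userPool`, and the type's description could add `Omitted or empty values fall back to ids derived from userManagementId.`, which matches the `||` fallback used by `resolveUserManagementIds` in the bundled output of this release. Since the `userManagementIds?` JSDoc calls these "explicit logical ids" and nothing validates them, it is also worth stating that each value must be a valid CloudFormation logical id (alphanumeric, unique within the template). The `AddAuthConfigWithoutUserPoolDomain` type continues past the last hunk.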
@@ -9,8 +9,11 @@ export declare const DEFAULT_AUTH_TYPE = "COGNITO_USER_POOLS";
9
9
  export type AddGatewayAuthorizerConfig = {
10
10
  /**
11
11
  * Cognito provider ARNs for authorization.
12
+ *
13
+ * Accepts literal strings or CloudFormation intrinsics (for example
14
+ * `{"Fn::GetAtt": ["UserPool", "Arn"]}`).
12
15
  */
13
- providerARNs?: string[];
16
+ providerARNs?: CloudFormationPrimitiveValue<string>[];
14
17
  /**
15
18
  * Authorization scopes to require.
16
19
  */
@@ -22,7 +25,7 @@ export type AddGatewayAuthorizerConfig = {
22
25
  /**
23
26
  * Identity source expression for authorization.
24
27
  */
25
- identitySource?: string;
28
+ identitySource?: CloudFormationPrimitiveValue<string>;
26
29
  };
27
30
  /**
28
31
  * Configuration for the API Gateway pack.
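Review bot: The `identitySource` JSDoc in the second hunk does not state its default, while the bundled `addGateway` in this same release changes that default to `method.request.header.Authorization`; adding `Defaults to \`method.request.header.Authorization\`.` to the comment keeps the declaration and the implementation in step. `CloudFormationPrimitiveValue` is now referenced in both hunks but its import is not visible in this section; if the head of the file does not already import it, the declaration will not resolve. The `AddGatewayAuthorizerConfig` type starts before the first hunk and the surrounding declarations continue past the last one.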
@@ -2,370 +2,357 @@ import { createResourcePack, SimpleCFT } from '../../chunk-ATO2455Q.js';
2
2
  import '../../chunk-I2KLQ2HA.js';
3
3
  import YAML from 'yaml';
4
4
 
5
- // src/iac/packs/auth/user-management.ts
6
- var addUserManagement = createResourcePack(
7
- (config) => {
8
- const {
9
- id,
10
- authRoleName,
11
- unauthRoleName,
12
- callbackUrls,
13
- logoutUrls,
14
- apiGatewayRESTAPIId,
15
- apiStageName
16
- } = config;
17
- const isUserPoolDomainEnabled = config.enableUserPoolDomain !== false;
18
- const supportedIdentityProviders = isUserPoolDomainEnabled && "supportedIdentityProviders" in config && config.supportedIdentityProviders && config.supportedIdentityProviders.length > 0 ? config.supportedIdentityProviders : ["COGNITO"];
19
- const apiRoleConfig = apiGatewayRESTAPIId && apiStageName ? {
20
- [`${id}IdentityPoolRoles`]: {
21
- Type: "AWS::Cognito::IdentityPoolRoleAttachment",
22
- Properties: {
23
- IdentityPoolId: {
24
- Ref: `${id}IdentityPool`
5
+ // src/iac/packs/auth.ts
6
+ var resolveUserManagementIds = (baseId, ids) => ({
7
+ userPool: ids?.userPool || baseId,
8
+ userPoolClient: ids?.userPoolClient || `${baseId}Client`,
9
+ identityPool: ids?.identityPool || `${baseId}IdentityPool`,
10
+ authRole: ids?.authRole || `${baseId}AuthRole`,
11
+ unauthRole: ids?.unauthRole || `${baseId}UnauthRole`,
12
+ roleAttachment: ids?.roleAttachment || `${baseId}IdentityPoolRoles`,
13
+ domain: ids?.domain || `${baseId}Domain`,
14
+ domainRecord: ids?.domainRecord || `${baseId}DomainRecord`,
15
+ baseDomainRecord: ids?.baseDomainRecord || `${baseId}BaseDomainRecord`
16
+ });
17
+ var addAuth = createResourcePack((config) => {
18
+ const {
19
+ userManagementId,
20
+ userManagementIds,
21
+ authRoleName,
22
+ unauthRoleName,
23
+ apiCloudFunctionGatewayId,
24
+ apiStageName,
25
+ adminGroupId,
26
+ userManagementAdminGroupName
27
+ } = config;
28
+ const resolvedIds = resolveUserManagementIds(
29
+ userManagementId,
30
+ userManagementIds
31
+ );
32
+ const isUserPoolDomainEnabled = config.enableUserPoolDomain !== false;
33
+ const supportedIdentityProviders = isUserPoolDomainEnabled && "supportedIdentityProviders" in config && config.supportedIdentityProviders && config.supportedIdentityProviders.length > 0 ? config.supportedIdentityProviders : ["COGNITO"];
34
+ const apiRoleConfig = {
35
+ [resolvedIds.roleAttachment]: {
36
+ Type: "AWS::Cognito::IdentityPoolRoleAttachment",
37
+ Properties: {
38
+ IdentityPoolId: {
39
+ Ref: resolvedIds.identityPool
40
+ },
41
+ Roles: {
42
+ authenticated: {
43
+ "Fn::GetAtt": [resolvedIds.authRole, "Arn"]
25
44
  },
26
- Roles: {
27
- authenticated: {
28
- "Fn::GetAtt": [`${id}AuthRole`, "Arn"]
29
- },
30
- unauthenticated: {
31
- "Fn::GetAtt": [`${id}UnauthRole`, "Arn"]
32
- }
45
+ unauthenticated: {
46
+ "Fn::GetAtt": [resolvedIds.unauthRole, "Arn"]
33
47
  }
34
48
  }
35
- },
36
- [`${id}AuthRole`]: {
37
- Type: "AWS::IAM::Role",
38
- Properties: {
39
- RoleName: authRoleName,
40
- Path: "/",
41
- AssumeRolePolicyDocument: {
42
- Version: "2012-10-17",
43
- Statement: [
44
- {
45
- Effect: "Allow",
46
- Principal: {
47
- Federated: "cognito-identity.amazonaws.com"
48
- },
49
- Action: ["sts:AssumeRoleWithWebIdentity"],
50
- Condition: {
51
- StringEquals: {
52
- "cognito-identity.amazonaws.com:aud": {
53
- Ref: `${id}IdentityPool`
54
- }
55
- },
56
- "ForAnyValue:StringLike": {
57
- "cognito-identity.amazonaws.com:amr": "authenticated"
58
- }
59
- }
60
- }
61
- ]
62
- },
63
- Policies: [
49
+ }
50
+ },
51
+ [resolvedIds.authRole]: {
52
+ Type: "AWS::IAM::Role",
53
+ Properties: {
54
+ RoleName: authRoleName,
55
+ Path: "/",
56
+ AssumeRolePolicyDocument: {
57
+ Version: "2012-10-17",
58
+ Statement: [
64
59
  {
65
- PolicyName: "CognitoAuthorizedPolicy",
66
- PolicyDocument: {
67
- Version: "2012-10-17",
68
- Statement: [
69
- {
70
- Effect: "Allow",
71
- Action: [
72
- "mobileanalytics:PutEvents",
73
- "cognito-sync:*",
74
- "cognito-identity:*"
75
- ],
76
- Resource: "*"
77
- },
78
- {
79
- Effect: "Allow",
80
- Action: ["execute-api:Invoke"],
81
- Resource: {
82
- "Fn::Sub": [
83
- "arn:aws:execute-api:${Region}:${AccountId}:${APIID}/${StageName}/${HTTPVerb}/api/*",
84
- {
85
- Region: {
86
- Ref: "AWS::Region"
87
- },
88
- AccountId: {
89
- Ref: "AWS::AccountId"
90
- },
91
- APIID: apiGatewayRESTAPIId,
92
- StageName: apiStageName,
93
- HTTPVerb: "*"
94
- }
95
- ]
96
- }
60
+ Effect: "Allow",
61
+ Principal: {
62
+ Federated: "cognito-identity.amazonaws.com"
63
+ },
64
+ Action: ["sts:AssumeRoleWithWebIdentity"],
65
+ Condition: {
66
+ StringEquals: {
67
+ "cognito-identity.amazonaws.com:aud": {
68
+ Ref: resolvedIds.identityPool
97
69
  }
98
- ]
70
+ },
71
+ "ForAnyValue:StringLike": {
72
+ "cognito-identity.amazonaws.com:amr": "authenticated"
73
+ }
99
74
  }
100
75
  }
101
76
  ]
102
- }
103
- },
104
- [`${id}UnauthRole`]: {
105
- Type: "AWS::IAM::Role",
106
- Properties: {
107
- RoleName: unauthRoleName,
108
- Path: "/",
109
- AssumeRolePolicyDocument: {
110
- Version: "2012-10-17",
111
- Statement: [
112
- {
113
- Effect: "Allow",
114
- Principal: {
115
- Federated: "cognito-identity.amazonaws.com"
77
+ },
78
+ Policies: [
79
+ {
80
+ PolicyName: "CognitoAuthorizedPolicy",
81
+ PolicyDocument: {
82
+ Version: "2012-10-17",
83
+ Statement: [
84
+ {
85
+ Effect: "Allow",
86
+ Action: [
87
+ "mobileanalytics:PutEvents",
88
+ "cognito-sync:*",
89
+ "cognito-identity:*"
90
+ ],
91
+ Resource: "*"
116
92
  },
117
- Action: ["sts:AssumeRoleWithWebIdentity"],
118
- Condition: {
119
- StringEquals: {
120
- "cognito-identity.amazonaws.com:aud": {
121
- Ref: `${id}IdentityPool`
122
- }
123
- },
124
- "ForAnyValue:StringLike": {
125
- "cognito-identity.amazonaws.com:amr": "unauthenticated"
93
+ {
94
+ Effect: "Allow",
95
+ Action: ["execute-api:Invoke"],
96
+ Resource: {
97
+ "Fn::Sub": [
98
+ "arn:aws:execute-api:${Region}:${AccountId}:${APIID}/${StageName}/${HTTPVerb}/api/*",
99
+ {
100
+ Region: {
101
+ Ref: "AWS::Region"
102
+ },
103
+ AccountId: {
104
+ Ref: "AWS::AccountId"
105
+ },
106
+ APIID: {
107
+ Ref: apiCloudFunctionGatewayId
108
+ },
109
+ StageName: apiStageName,
110
+ HTTPVerb: "*"
111
+ }
112
+ ]
126
113
  }
127
114
  }
128
- }
129
- ]
130
- },
131
- Policies: [
115
+ ]
116
+ }
117
+ }
118
+ ]
119
+ }
120
+ },
121
+ [resolvedIds.unauthRole]: {
122
+ Type: "AWS::IAM::Role",
123
+ Properties: {
124
+ RoleName: unauthRoleName,
125
+ Path: "/",
126
+ AssumeRolePolicyDocument: {
127
+ Version: "2012-10-17",
128
+ Statement: [
132
129
  {
133
- PolicyName: "CognitoUnauthorizedPolicy",
134
- PolicyDocument: {
135
- Version: "2012-10-17",
136
- Statement: [
137
- {
138
- Effect: "Allow",
139
- Action: [
140
- "mobileanalytics:PutEvents",
141
- "cognito-sync:*",
142
- "cognito-identity:*"
143
- ],
144
- Resource: "*"
130
+ Effect: "Allow",
131
+ Principal: {
132
+ Federated: "cognito-identity.amazonaws.com"
133
+ },
134
+ Action: ["sts:AssumeRoleWithWebIdentity"],
135
+ Condition: {
136
+ StringEquals: {
137
+ "cognito-identity.amazonaws.com:aud": {
138
+ Ref: resolvedIds.identityPool
145
139
  }
146
- ]
140
+ },
141
+ "ForAnyValue:StringLike": {
142
+ "cognito-identity.amazonaws.com:amr": "unauthenticated"
143
+ }
144
+ }
145
+ }
146
+ ]
147
+ },
148
+ Policies: [
149
+ {
150
+ PolicyName: "CognitoUnauthorizedPolicy",
151
+ PolicyDocument: {
152
+ Version: "2012-10-17",
153
+ Statement: [
154
+ {
155
+ Effect: "Allow",
156
+ Action: [
157
+ "mobileanalytics:PutEvents",
158
+ "cognito-sync:*",
159
+ "cognito-identity:*"
160
+ ],
161
+ Resource: "*"
162
+ }
163
+ ]
164
+ }
165
+ }
166
+ ]
167
+ }
168
+ }
169
+ };
170
+ const userPoolDomainConfig = config.enableUserPoolDomain === false ? {} : {
171
+ [resolvedIds.baseDomainRecord]: {
172
+ Type: "AWS::Route53::RecordSet",
173
+ DeletionPolicy: "Delete",
174
+ Properties: {
175
+ HostedZoneId: {
176
+ Ref: config.hostedZoneIdParameterName
177
+ },
178
+ Type: "A",
179
+ Name: {
180
+ Ref: config.domainNameParameterName
181
+ },
182
+ AliasTarget: {
183
+ HostedZoneId: "Z2FDTNDATAQYW2",
184
+ DNSName: {
185
+ "Fn::GetAtt": [config.mainCDNCloudFrontId, "DomainName"]
186
+ }
187
+ }
188
+ }
189
+ },
190
+ [resolvedIds.domainRecord]: {
191
+ Type: "AWS::Route53::RecordSet",
192
+ DeletionPolicy: "Delete",
193
+ Properties: {
194
+ HostedZoneId: {
195
+ Ref: config.hostedZoneIdParameterName
196
+ },
197
+ Type: "A",
198
+ Name: {
199
+ "Fn::Sub": [
200
+ "auth.${BaseDomainName}",
201
+ {
202
+ BaseDomainName: {
203
+ Ref: config.domainNameParameterName
147
204
  }
148
205
  }
149
206
  ]
207
+ },
208
+ AliasTarget: {
209
+ HostedZoneId: "Z2FDTNDATAQYW2",
210
+ DNSName: {
211
+ "Fn::GetAtt": [resolvedIds.domain, "CloudFrontDistribution"]
212
+ }
150
213
  }
151
214
  }
152
- } : {};
153
- const userPoolDomainConfig = config.enableUserPoolDomain === false ? {} : {
154
- [`${id}BaseDomainRecord`]: !!config.baseDomainRecordAliasTargetDNSName ? {
155
- Type: "AWS::Route53::RecordSet",
156
- DeletionPolicy: "Delete",
157
- Properties: {
158
- HostedZoneId: config.hostedZoneId,
159
- Type: "A",
160
- Name: config.domainName,
161
- AliasTarget: {
162
- HostedZoneId: "Z2FDTNDATAQYW2",
163
- DNSName: config.baseDomainRecordAliasTargetDNSName
215
+ },
216
+ [resolvedIds.domain]: {
217
+ Type: "AWS::Cognito::UserPoolDomain",
218
+ DependsOn: resolvedIds.baseDomainRecord,
219
+ Properties: {
220
+ Domain: {
221
+ "Fn::Sub": [
222
+ "auth.${BaseDomainName}",
223
+ {
224
+ BaseDomainName: {
225
+ Ref: config.domainNameParameterName
226
+ }
227
+ }
228
+ ]
229
+ },
230
+ UserPoolId: {
231
+ Ref: resolvedIds.userPool
232
+ },
233
+ CustomDomainConfig: {
234
+ CertificateArn: {
235
+ Ref: config.sslCertificateId
164
236
  }
165
237
  }
166
- } : void 0,
167
- [`${id}DomainRecord`]: {
168
- Type: "AWS::Route53::RecordSet",
169
- DeletionPolicy: "Delete",
238
+ }
239
+ }
240
+ };
241
+ const callbackUrls = config.enableUserPoolDomain === false ? void 0 : config.callbackUrls;
242
+ const logoutUrls = config.enableUserPoolDomain === false ? void 0 : config.logoutUrls;
243
+ return new SimpleCFT().patch({
244
+ Resources: {
245
+ [resolvedIds.userPool]: {
246
+ Type: "AWS::Cognito::UserPool",
170
247
  Properties: {
171
- HostedZoneId: config.hostedZoneId,
172
- Type: "A",
173
- Name: {
174
- "Fn::Sub": [
175
- "auth.${BaseDomainName}",
248
+ UserPoolName: {
249
+ "Fn::Sub": [`\${AWS::StackName}${userManagementId}`, {}]
250
+ },
251
+ AccountRecoverySetting: {
252
+ RecoveryMechanisms: [
176
253
  {
177
- BaseDomainName: config.domainName
254
+ Name: "verified_email",
255
+ Priority: 1
178
256
  }
179
257
  ]
180
258
  },
181
- AliasTarget: {
182
- HostedZoneId: "Z2FDTNDATAQYW2",
183
- DNSName: {
184
- "Fn::GetAtt": [`${id}Domain`, "CloudFrontDistribution"]
259
+ AdminCreateUserConfig: {
260
+ AllowAdminCreateUserOnly: false,
261
+ UnusedAccountValidityDays: 365
262
+ },
263
+ AutoVerifiedAttributes: ["email"],
264
+ AliasAttributes: ["phone_number", "email", "preferred_username"],
265
+ Schema: [
266
+ {
267
+ Name: "email",
268
+ Required: true,
269
+ Mutable: true
270
+ },
271
+ {
272
+ Name: "given_name",
273
+ Required: true,
274
+ Mutable: true
275
+ },
276
+ {
277
+ Name: "family_name",
278
+ Required: true,
279
+ Mutable: true
280
+ },
281
+ {
282
+ Name: "phone_number",
283
+ Required: true,
284
+ Mutable: true
185
285
  }
286
+ ],
287
+ DeviceConfiguration: {
288
+ ChallengeRequiredOnNewDevice: true,
289
+ DeviceOnlyRememberedOnUserPrompt: false
290
+ },
291
+ UsernameConfiguration: {
292
+ CaseSensitive: false
186
293
  }
187
294
  }
188
295
  },
189
- [`${id}Domain`]: {
190
- Type: "AWS::Cognito::UserPoolDomain",
191
- DependsOn: !!config.baseDomainRecordAliasTargetDNSName ? `${id}BaseDomainRecord` : void 0,
296
+ [resolvedIds.userPoolClient]: {
297
+ Type: "AWS::Cognito::UserPoolClient",
192
298
  Properties: {
193
- Domain: {
194
- "Fn::Sub": [
195
- "auth.${BaseDomainName}",
196
- {
197
- BaseDomainName: config.domainName
198
- }
199
- ]
299
+ ClientName: {
300
+ "Fn::Sub": [`\${AWS::StackName}${userManagementId}Client`, {}]
200
301
  },
201
302
  UserPoolId: {
202
- Ref: id
303
+ Ref: resolvedIds.userPool
203
304
  },
204
- CustomDomainConfig: {
205
- CertificateArn: config.sslCertificateArn
206
- }
305
+ ...isUserPoolDomainEnabled ? {
306
+ AllowedOAuthFlowsUserPoolClient: true,
307
+ AllowedOAuthFlows: ["code", "implicit"],
308
+ AllowedOAuthScopes: [
309
+ "openid",
310
+ "email",
311
+ "phone",
312
+ "profile",
313
+ "aws.cognito.signin.user.admin"
314
+ ],
315
+ SupportedIdentityProviders: supportedIdentityProviders
316
+ } : {
317
+ AllowedOAuthFlowsUserPoolClient: false
318
+ },
319
+ EnableTokenRevocation: true,
320
+ PreventUserExistenceErrors: "ENABLED",
321
+ ...callbackUrls && callbackUrls.length > 0 ? { CallbackURLs: callbackUrls } : {},
322
+ ...logoutUrls && logoutUrls.length > 0 ? { LogoutURLs: logoutUrls } : {}
207
323
  }
208
- }
209
- };
210
- return {
211
- Resources: {
212
- [id]: {
213
- Type: "AWS::Cognito::UserPool",
214
- Properties: {
215
- UserPoolName: {
216
- "Fn::Sub": [`\${AWS::StackName}${id}`, {}]
217
- },
218
- AccountRecoverySetting: {
219
- RecoveryMechanisms: [
220
- {
221
- Name: "verified_email",
222
- Priority: 1
223
- }
224
- ]
225
- },
226
- AdminCreateUserConfig: {
227
- AllowAdminCreateUserOnly: false,
228
- UnusedAccountValidityDays: 365
229
- },
230
- AutoVerifiedAttributes: ["email"],
231
- AliasAttributes: ["phone_number", "email", "preferred_username"],
232
- Schema: [
233
- {
234
- Name: "email",
235
- Required: true,
236
- Mutable: true
237
- },
238
- {
239
- Name: "given_name",
240
- Required: true,
241
- Mutable: true
324
+ },
325
+ [resolvedIds.identityPool]: {
326
+ Type: "AWS::Cognito::IdentityPool",
327
+ Properties: {
328
+ IdentityPoolName: {
329
+ "Fn::Sub": [
330
+ `\${AWS::StackName}${userManagementId}IdentityPool`,
331
+ {}
332
+ ]
333
+ },
334
+ AllowUnauthenticatedIdentities: false,
335
+ CognitoIdentityProviders: [
336
+ {
337
+ ClientId: {
338
+ Ref: resolvedIds.userPoolClient
242
339
  },
243
- {
244
- Name: "family_name",
245
- Required: true,
246
- Mutable: true
340
+ ProviderName: {
341
+ "Fn::GetAtt": [resolvedIds.userPool, "ProviderName"]
247
342
  },
248
- {
249
- Name: "phone_number",
250
- Required: true,
251
- Mutable: true
252
- }
253
- ],
254
- DeviceConfiguration: {
255
- ChallengeRequiredOnNewDevice: true,
256
- DeviceOnlyRememberedOnUserPrompt: false
257
- },
258
- UsernameConfiguration: {
259
- CaseSensitive: false
343
+ ServerSideTokenCheck: true
260
344
  }
261
- }
262
- },
263
- [`${id}Client`]: {
264
- Type: "AWS::Cognito::UserPoolClient",
265
- Properties: {
266
- ClientName: {
267
- "Fn::Sub": [`\${AWS::StackName}${id}Client`, {}]
268
- },
269
- UserPoolId: {
270
- Ref: id
271
- },
272
- ...isUserPoolDomainEnabled ? {
273
- AllowedOAuthFlowsUserPoolClient: true,
274
- AllowedOAuthFlows: ["code", "implicit"],
275
- AllowedOAuthScopes: [
276
- "openid",
277
- "email",
278
- "phone",
279
- "profile",
280
- "aws.cognito.signin.user.admin"
281
- ],
282
- SupportedIdentityProviders: supportedIdentityProviders
283
- } : {
284
- AllowedOAuthFlowsUserPoolClient: false
285
- },
286
- EnableTokenRevocation: true,
287
- PreventUserExistenceErrors: "ENABLED",
288
- ...callbackUrls && callbackUrls.length > 0 ? { CallbackURLs: callbackUrls } : {},
289
- ...logoutUrls && logoutUrls.length > 0 ? { LogoutURLs: logoutUrls } : {}
290
- }
291
- },
292
- [`${id}IdentityPool`]: {
293
- Type: "AWS::Cognito::IdentityPool",
294
- Properties: {
295
- IdentityPoolName: {
296
- "Fn::Sub": [`\${AWS::StackName}${id}IdentityPool`, {}]
297
- },
298
- AllowUnauthenticatedIdentities: false,
299
- CognitoIdentityProviders: [
300
- {
301
- ClientId: {
302
- Ref: `${id}Client`
303
- },
304
- ProviderName: {
305
- "Fn::GetAtt": [id, "ProviderName"]
306
- },
307
- ServerSideTokenCheck: true
308
- }
309
- ]
310
- }
311
- },
312
- ...userPoolDomainConfig,
313
- ...apiRoleConfig
314
- }
315
- };
316
- }
317
- );
318
-
319
- // src/iac/packs/auth.ts
320
- var addAuth = createResourcePack((config) => {
321
- const {
322
- userManagementId,
323
- authRoleName,
324
- unauthRoleName,
325
- callbackUrls,
326
- logoutUrls,
327
- supportedIdentityProviders,
328
- apiCloudFunctionGatewayId,
329
- apiStageName,
330
- adminGroupId,
331
- userManagementAdminGroupName
332
- } = config;
333
- return new SimpleCFT().applyPack(addUserManagement, {
334
- id: userManagementId,
335
- authRoleName,
336
- unauthRoleName,
337
- apiGatewayRESTAPIId: {
338
- Ref: apiCloudFunctionGatewayId
339
- },
340
- apiStageName,
341
- ...config.enableUserPoolDomain === false ? {
342
- enableUserPoolDomain: false
343
- } : {
344
- enableUserPoolDomain: true,
345
- domainName: {
346
- Ref: config.domainNameParameterName
347
- },
348
- hostedZoneId: {
349
- Ref: config.hostedZoneIdParameterName
350
- },
351
- sslCertificateArn: {
352
- Ref: config.sslCertificateId
353
- },
354
- baseDomainRecordAliasTargetDNSName: {
355
- "Fn::GetAtt": [config.mainCDNCloudFrontId, "DomainName"]
345
+ ]
346
+ }
356
347
  },
357
- callbackUrls,
358
- logoutUrls,
359
- supportedIdentityProviders
360
- }
361
- }).patch({
362
- Resources: {
348
+ ...userPoolDomainConfig,
349
+ ...apiRoleConfig,
363
350
  [adminGroupId]: {
364
351
  Type: "AWS::Cognito::UserPoolGroup",
365
352
  Properties: {
366
353
  GroupName: userManagementAdminGroupName,
367
354
  UserPoolId: {
368
- Ref: userManagementId
355
+ Ref: resolvedIds.userPool
369
356
  },
370
357
  Description: "Application admin group."
371
358
  }
@@ -985,7 +972,7 @@ var addGateway = createResourcePack(
985
972
  scopes: authScopes = ["phone", "email", "openid", "profile"],
986
973
  type: authType = "COGNITO_USER_POOLS",
987
974
  providerARNs,
988
- identitySource = "method.request.header.authorization"
975
+ identitySource = "method.request.header.Authorization"
989
976
  } = !!authorizer && typeof authorizer === "object" ? authorizer : {};
990
977
  const authorizerId = `${id}CustomAuthorizer`;
991
978
  const authProps = !!authorizer ? {
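Review bot: User-supplied `userManagementIds` can collide silently in the first hunk: `resolveUserManagementIds` only fills in defaults, and the `Resources` object literal assembled in `addAuth` (including the `...userPoolDomainConfig` / `...apiRoleConfig` spreads and the trailing `[adminGroupId]` entry) lets a later duplicate key overwrite an earlier one, so two overrides set to the same value, or an override equal to `adminGroupId`, drop a resource from the template instead of failing. Rejecting duplicate or non-alphanumeric resolved ids before the template is built, with `adminGroupId` passed in as a reserved id, turns that into a clear error at pack-apply time. Separately, and carried over verbatim from the removed block rather than introduced here, both `CognitoAuthorizedPolicy` and `CognitoUnauthorizedPolicy` grant `cognito-sync:*` and `cognito-identity:*` on `Resource: "*"`, which is broader than an unauthenticated role needs and is worth scoping down in a follow-up. The enclosing `addAuth` callback continues past the end of the hunk.
```javascript
// src/iac/packs/auth.ts
var resolveUserManagementIds = (baseId, ids, reservedIds = []) => {
  const resolved = {
    userPool: ids?.userPool || baseId,
    // … unchanged: remaining default ids …
    baseDomainRecord: ids?.baseDomainRecord || `${baseId}BaseDomainRecord`
  };
  // Logical ids must be alphanumeric and unique within a template; a duplicate
  // key in the Resources literal would silently overwrite a resource.
  const seen = new Set(reservedIds);
  for (const [key, value] of Object.entries(resolved)) {
    if (!/^[A-Za-z0-9]+$/.test(value)) {
      throw new Error(`Invalid CloudFormation logical id for ${key}: ${value}`);
    }
    if (seen.has(value)) {
      throw new Error(`Duplicate CloudFormation logical id: ${value}`);
    }
    seen.add(value);
  }
  return resolved;
};
// … unchanged: addAuth destructuring …
  const resolvedIds = resolveUserManagementIds(
    userManagementId,
    userManagementIds,
    [adminGroupId]
  );
```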
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "@resistdesign/voltra",
3
- "version": "3.0.0-alpha.39",
3
+ "version": "3.0.0-alpha.40",
4
4
  "description": "With our powers combined!",
5
5
  "homepage": "https://voltra.app",
6
6
  "repository": "git@github.com:resistdesign/voltra.git",
@@ -1,106 +0,0 @@
1
- /**
2
- * Configuration for adding Cognito user management resources.
3
- */
4
- type AddUserManagementConfigBase = {
5
- /**
6
- * Base id for Cognito resources.
7
- */
8
- id: string;
9
- /**
10
- * IAM role name for authenticated users.
11
- */
12
- authRoleName: string;
13
- /**
14
- * IAM role name for unauthenticated users.
15
- */
16
- unauthRoleName: string;
17
- /**
18
- * Alias target DNS name for the base domain record.
19
- */
20
- baseDomainRecordAliasTargetDNSName?: any;
21
- /**
22
- * API Gateway REST API id for authenticated access.
23
- */
24
- apiGatewayRESTAPIId?: any;
25
- /**
26
- * API Gateway stage name for authenticated access.
27
- */
28
- apiStageName?: any;
29
- };
30
- type AddUserManagementConfigWithDomain = AddUserManagementConfigBase & {
31
- /**
32
- * Enable Cognito Hosted UI/OAuth redirect mode by creating a custom user pool
33
- * domain plus Route53 records.
34
- *
35
- * When enabled, the generated user pool client uses OAuth flows (`code`,
36
- * `implicit`) and supports callback/logout/provider configuration.
37
- *
38
- * Defaults to `true`. Set `false` to opt out of Hosted UI resources and use
39
- * SDK/API-based sign-in flows only.
40
- */
41
- enableUserPoolDomain?: true;
42
- /**
43
- * Base domain name used to create the auth subdomain.
44
- *
45
- * The pack creates a Cognito domain at `auth.<domainName>`.
46
- */
47
- domainName: any;
48
- /**
49
- * Route53 hosted zone id for DNS records under `domainName`.
50
- */
51
- hostedZoneId: any;
52
- /**
53
- * ACM certificate ARN (in `us-east-1`) for the Cognito custom domain.
54
- */
55
- sslCertificateArn: any;
56
- /**
57
- * OAuth callback URLs for Hosted UI/federated redirect flows.
58
- *
59
- * These must be valid redirect URLs accepted by Cognito for the app client.
60
- * They are required by Cognito when OAuth flows are enabled.
61
- */
62
- callbackUrls?: any[];
63
- /**
64
- * OAuth logout redirect URLs for Hosted UI sign-out.
65
- */
66
- logoutUrls?: any[];
67
- /**
68
- * Supported identity providers for Hosted UI/OAuth flows.
69
- *
70
- * Defaults to `["COGNITO"]`.
71
- * Use Cognito provider names such as `"COGNITO"`, `"Google"`,
72
- * `"SignInWithApple"`, `"LoginWithAmazon"`, or names for configured OIDC/SAML
73
- * providers.
74
- */
75
- supportedIdentityProviders?: any[];
76
- };
77
- type AddUserManagementConfigWithoutDomain = AddUserManagementConfigBase & {
78
- /**
79
- * Disable Cognito Hosted UI/OAuth redirect configuration.
80
- *
81
- * In this mode, the generated user pool client disables OAuth hosted-UI flows
82
- * (`AllowedOAuthFlowsUserPoolClient: false`) so callback/logout/provider
83
- * settings are intentionally disallowed.
84
- */
85
- enableUserPoolDomain: false;
86
- domainName?: never;
87
- hostedZoneId?: never;
88
- sslCertificateArn?: never;
89
- baseDomainRecordAliasTargetDNSName?: never;
90
- callbackUrls?: never;
91
- logoutUrls?: never;
92
- supportedIdentityProviders?: never;
93
- };
94
- /**
95
- * Configuration for {@link addUserManagement}.
96
- */
97
- export type AddUserManagementConfig = AddUserManagementConfigWithDomain | AddUserManagementConfigWithoutDomain;
98
- /**
99
- * Add Cognito user management resources to a template.
100
- *
101
- * @param config - User management configuration.
102
- * @returns CloudFormation template fragment.
103
- * @group Resource Packs
104
- */
105
- export declare const addUserManagement: import("../..").ResourcePackApplier<AddUserManagementConfig>;
106
- export {};